Facebook’s security, particularly in relation to third-party apps, has been brought into question again this week. Security firm Symantec discovered that some programs were inadvertently sharing access tokens, which could in theory be used by advertisers. As of last month, up to 100,000 applications were still enabling leaks.
The access tokens are essentially ‘spare keys’ to a Facebook user’s account. These ‘keys’ will typically be given out, with the user’s permission, to help applications on the Facebook platform function. Normally, applications with the keys could access a user’s profile and photographs, as well as post messages on their wall – for example, when you complete a quiz or get a high score on a game which is a Facebook app, it will post the results on your wall.
However, the newly discovered weakness in the old authentication method would allow millions of access tokens to be passed on to further third parties – likely to include advertisers – through referral data. Symantec’s Nishant Doshi nevertheless downplayed the risk, adding: “Fortunately, these third-parties may not have realised their ability to access this information.”
Kevin Purdy, Facebook’s director of developer relations, disputed the findings. He said: “We’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorised third parties.”
To further ease user anxiety, Paul Mutton, a security analyst at Netcraft, said that while the vulnerability could potentially be used for malicious purposes, no secure data such as passwords has been taken.